1. Field of the Invention
Embodiments of the present invention generally relate to a computer system security and, more particularly, to a method and apparatus for automatically excluding false positives from detection as malware by a security module.
2. Description of the Related Art
In a typical computing environment, an organization may employ a number of technologies to process, protect and secure mission critical data. For instance, the organization may employ one or more security systems to detect and/or mitigate threats, such as malware (e.g., worms, viruses and/or the like), intrusions, SPAM and/or the like. Such security systems may include a plurality of client programs and a backend server that deploys various forms of information to the client programs, such as malware definitions, white lists, black lists, heuristics and/or the like.
Each computer of a plurality of computers may be configured with one or more anti-virus software client programs that utilize heuristics to perform the threat detection. The anti-virus software vendor may employ numerous techniques, such as machine learning, to create such heuristics. These heuristics may include code-based invariants and/or activity-based patterns that are associated with malicious software activity. Accordingly, these anti-virus software client programs perform a security scan on a plurality of files to identify and/or mitigate the malicious software activity. Furthermore, the malicious software activity may correspond with a particular malware group.
These heuristics, nonetheless, may determine that a number of files include malicious software code when such files are, in fact, clean and legitimate. Such false positives may delay public deployment of the anti-virus software client programs, definitions and/or heuristics to the plurality of computers. In addition, the detection of any false positives negatively impacts user experience. Handling malware detections prevents computer users from performing normal computer tasks. Valuable time and resources are wasted in order to discover that some malware detections are actually false positives.
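As an added illustration that is not part of the patent text, the following Python sketch models a heuristic scanner whose code-based invariants and activity-based patterns flag a constructed legitimate installer, and shows how a white list of known-clean file hashes suppresses that false positive before it reaches the user. All file contents, indicator strings, activity names and hashes are constructed placeholders, not values from any real product.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed stand-in for a scanned file: its bytes plus observed runtime activity.
@dataclass
class SampleFile:
    name: str
    content: bytes
    activities: list = field(default_factory=list)

# Code-based invariants: byte patterns a heuristic associates with malware (constructed).
CODE_INVARIANTS = [b"\xeb\xfe", b"VirtualAllocEx"]
# Activity-based patterns: behaviours a heuristic associates with malware (constructed).
ACTIVITY_PATTERNS = {"write_run_key", "inject_remote_thread"}

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def heuristic_score(f: SampleFile) -> int:
    """Count matching invariants and activity patterns; score >= threshold means 'detect'."""
    score = sum(1 for inv in CODE_INVARIANTS if inv in f.content)
    score += sum(1 for act in f.activities if act in ACTIVITY_PATTERNS)
    return score

def scan(files, whitelist, threshold=2):
    """Return (detections, suppressed): heuristic hits, minus files on the known-clean white list."""
    detections, suppressed = [], []
    for f in files:
        if heuristic_score(f) < threshold:
            continue                      # below the heuristic threshold: not a detection
        if sha256(f.content) in whitelist:
            suppressed.append(f.name)     # false positive excluded by the white list
        else:
            detections.append(f.name)     # detection that still reaches the user
    return detections, suppressed

# Constructed inputs: a legitimate installer that happens to trip two heuristics,
# a sample that trips three, and a plain document that trips none.
INSTALLER = SampleFile("setup.exe", b"MZ...VirtualAllocEx...", ["write_run_key"])
DROPPER = SampleFile("svc.exe", b"MZ\xeb\xfe...VirtualAllocEx", ["inject_remote_thread"])
NOTES = SampleFile("notes.txt", b"quarterly report", [])
WHITELIST = {sha256(INSTALLER.content)}   # hash the vendor has published as known-clean

if __name__ == "__main__":
    print(scan([INSTALLER, DROPPER, NOTES], WHITELIST))
```

Without the white list the installer would be reported as malware; with it, the same heuristic hit is recorded as suppressed and the user never has to triage it.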
Therefore, there is a need in the art for a method and apparatus for automatically identifying and preventing one or more false positives from detection as malware.